Security audit

Maverick Linear Mcp

Security checks across malware telemetry and agentic risk

Overview

This skill transparently connects an agent to Linear through OAuth and can read or change Linear workspace data when used for Linear tasks.

Install this only if you want the agent to access your Linear workspace through OAuth. Review requested actions before allowing create, save, or delete operations, and avoid passing non-Linear sensitive information through the Linear MCP tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation guidance says to use the skill whenever the user asks about Linear work or wants to read or write Linear data, which is broad enough to trigger the skill for many loosely related requests. Over-broad routing increases the chance of unnecessary external data transfer to Linear's hosted MCP service and accidental use of write-capable tools when a narrower local answer would suffice.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
The output includes Linear's `Instructions:` field (read it - it specifies, for example, how to format markdown content) and a JSON Schema for every tool's parameters. Treat this as the authoritative reference for the rest of the session.

**Step 2 - Call any tool from the catalog** using the form `<server>.<tool>` where `<server>` is `maverick-linear` (the local registration key, not the published skill name):

```sh
mcporter --config {baseDir}/mcporter.json call maverick-linear.<tool> <arg>=<value> ...
```

Confidence
88% confidence
Finding
Call any tool

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/init-mcporter-oauth.sh:77